When BHP Billiton chief executive Marius Kloppers confirmed he believed his company’s internal communications systems were being penetrated by Chinese cyber thieves, his words should have sent shudders through Australian boardrooms.

According to a leading expert on cyber security – Paul Twomey, Australian former chief executive of ICANN, the world’s main internet policy body – what Kloppers said rang warning bells for CEOs and board members at all levels of Australian business.

“I am not the least bit surprised by anything that Marius Kloppers said,” Twomey tells the Weekend Financial Review. “He highlighted issues that should be at the top of the priority list of every Australian CEO and company board.”

Kloppers’s fears about Chinese cyber espionage against BHP were initially expressed in private and only outed through the disclosure by WikiLeaks of the contents of a secret cable sent from the US embassy in Canberra to the State Department in Washington.

The cable detailed a conversation between Kloppers and US embassy officials in which, according to the document, the BHP chief outlined his concerns about the rising threat to the company’s secure internal information systems from cyber attacks, particularly from China, but also from competitors and other sources.

Kloppers confirmed his concerns to an earnings briefing last year, saying it was because of them that BHP had pushed hard for market-clearing prices for iron ore sales so that pricing information was readily, publicly available.

Late last year, Kloppers’ concerns received the highest level of endorsement from the US government intelligence community. The Office of the National Counterintelligence Executive – the umbrella body for all 14 US intelligence agencies – publicly named the Chinese and Russian governments as the chief sources of covert cyber attacks on US government and private computer networks.

Its report said that in both countries, the state was sponsoring computer hacking aimed at public and private US computer information systems in search of secrets ranging from the intellectual property of companies to defence secrets and private financial information.

“Chinese actors are the world’s most active and persistent perpetrators of economic espionage,” the US agencies said, with Russia “conducting a range of activities to collect economic information and technology secrets”.

Australia’s intelligence community is a bit more coy than the Americans’.

The just-released, sanitised version of the federal government’s review of Australia’s intelligence agencies stopped short of naming China or any other country as a source of cyber attacks against Australian targets. But it does say: “State-sponsored hacking is becoming a national capability in some countries.”

Its secret report is understood to have named China and a list of other governments in the Asia-Pacific region.

It says the danger of unauthorised cyber penetration of computer systems is the fastest growing and most alarming new challenge facing the operators of protected information and communications systems – government-owned and private.

The report strongly recommends a significantly stepped-up effort to counter the cyber threat.

But Twomey says state-sponsored nefarious cyber activity is just part of the exploding problem. Cyber espionage comes from a wide and growing range of interests seeking to steal political and economic secrets, intellectual property, and financial data and money.

Twomey says that the threat posed to business, and the response needed to minimise the potential damage, are “absolutely CEO and board member” responsibilities.

These are not matters to be delegated to a business’s staff, he says. Twomey, whose cyber-security consultancy, Argo P@cific, does much of its business in the US and Europe, says Australian corporate leadership needs to take responsibility for the security of their business’s network technology and computing systems.

“It is a technology risk but it is a management responsibility: CEOs need to understand the implications of the risk and act to ensure the risk is minimised,” Twomey says. “Don’t delegate responsibility. If you simply ask your chief technology adviser ‘are we OK?’ human nature says that he is most likely to say yes.”

Twomey suggests a checklist for CEOs that includes:

Establishing the nature of any risk from cyber attack;

Determining what information may be of interest to others and could be vulnerable to intrusion;

Deciding what measures should be put in place to reduce the risk of unauthorised cyber access to that information; and

Ensuring the business’s defence against cyber attack is adequate by regularly conducting exercises to test it and the people responsible for managing it.

Twomey and other experts say they believe the Australian government and its intelligence agencies have responded proactively to the cyber threat and that the Cyber Security Operations Centre, which is chiefly responsible for intercepting and repelling cyber attacks, is equal to the world’s best practice.

The centre operates in conjunction with all levels of government and with industry.

But experts agree the business response is lagging.

The government plans to release a white paper on cyber security by midyear and released a discussion paper late last year setting out the challenges posed by the rapid expansion of the use of internet and digital technologies.

It has invited submissions ahead of the release of a new national policy, but so far the response has been limited.

Australia’s major business organisations have not made submissions. A spokesman for one of them says cyber security is an issue for individual businesses.

But business generally seems too complacent about the issue.

Despite estimates that cyber intrusions cost Australian businesses more than $1 billion last year, no significant insurance market has developed and most Australian businesses self-insure.

Experts worry there is too little awareness in the business community of the size of the financial risk that cyber attacks present, especially where a major theft of confidential private information might lead to a mass class action by clients or customers.

One of the issues being considered by the officials working on the white paper is whether Australia should follow the US and introduce a mandatory system of disclosure of cyber attacks.

The US law was introduced last year because of the reluctance of businesses to admit that their internal systems had been penetrated by cyber intruders. The US authorities decided that only mandatory disclosure requirements would reveal the full extent of losses to cyber attacks and allow an efficient insurance market to develop.

The idea of mandatory reporting in Australia already has strong expert backing.

The former head of the Australian Federal Police high-technology crime centre, Alastair MacGibbon, says similar laws are needed in Australia not only to force disclosure but to penalise companies that do not have adequate systems in place to protect information.

He agrees with Twomey that too many company executives still think cyber attacks are a “problem for the IT manager”.

In addition to the cyber attacks now being reported daily – and the many others that go unreported and are dealt with in-house by governments and the private sector – there are fears that the growing sophistication of hacking methods means a lot more are not being detected at all.

A just-released report, the Independent Review of the Australian Intelligence Community, found the agencies charged with defending Australia’s electronic information networks from cyber-launched intrusions were seeing “only a portion of the hostile activity”.

This has already raised serious national security concerns here and elsewhere.

In the US, attacks on sensitive government and defence systems have become so prevalent that the Pentagon has warned that an act of computer sabotage could be considered an act of war if it caused sufficient damage to vital life-support infrastructure – for example, hospitals or power, water and electricity systems – and that damage resulted in deaths.

Australia is supporting a US move to have cyber attacks which result in civilian deaths declared a war crime.

US Deputy Defence Secretary William Lynn admitted hackers working for a foreign government had stolen 24,000 top-secret files from the Pentagon in a single cyber strike. There was widespread speculation at the time that China was behind the attack.

“In the 21st century, bits and bytes can be as threatening as bullets and bombs,” Lynn says.

The director-general of the Australian Security Intelligence Organisation, David Irvine, has warned businesses that cyber espionage is used against Australia on a “massive scale”.

In a speech in Sydney on Tuesday, Irvine said “around the world we’ve seen attacks on national institutions or important elements of the commercial sector such as the banks which we depend on for our daily commerce – and all this simply as a means of expressing protest.

“What would happen if nation states brought their immensely superior cyber attack capabilities to disable military cyber command control systems, national air traffic control systems or electricity and gas grids?”

ASIO has also begun to focus on a potentially contentious cyber-security threat from the investments in Australian projects of state-owned foreign enterprises.

Some analysts believe there is a serious risk that such businesses could provide vehicles for state-supported cyber espionage and say this is a risk Australian companies contemplating joint ventures with state-owned foreign enterprises need to take into account.

Then federal attorney-general Robert McClelland revealed last July that Australian businesses suffered a reported 250,000 cyber security breaches in the first six months of 2011. The incidents related mainly to “stolen information including passwords and account details”.

McClelland revealed the figures in introducing legislation to cover a range of new internet offences, including fraud and breaches of high-security networks.

The Australian Federal Police warned last month that online attacks on companies were becoming more common, following an offshore cyber attack that forced ANZ Banking Group and St George to close down their onshore broking sites.

A new risk for business from unwanted cyber activity has also emerged in the form of what Twomey calls “hacktivism” – groups or individuals with grievances who can use their cyber skills to attack the source of their grievances.

These range from campaigners attacking businesses, political parties or government agencies to individuals driven by nationalistic or geopolitical motives.

An alarming recent example is tit-for-tat hacking by individuals in Saudi Arabia and Israel. The hackers’ objectives were to cripple commerce for political reasons.

In one instance a Saudi-based hacker penetrated the internal systems of an Israeli bank and published the personal details of the users of its credit cards. An Israeli hacker responded with a similar attack on a Saudi bank.

A Saudi hacker group has also taken down the Israeli stock exchange and an airline, while Israel-based hackers responded by disrupting stock exchanges in Saudi Arabia and Abu Dhabi.

The world has already witnessed its first cyber war, which occurred in 2007 when Russia was blamed for launching a series of attacks designed to cripple Estonia’s banks, government ministries and broadcasters over the relocation of a World War II-era Soviet war memorial. Russia denied responsibility.

Despite all this, experts such as Twomey stress that a balanced view is needed of the benefits and risks of the new technologies introduced by the internet.

“We need to keep the benefits and the risks in perspective,” he says. “The benefits are enormous. There are risks, but they are manageable.”

Twomey says the challenge for business managers is to weigh up the benefits and the risks and to make judgments about the appropriate level of budget allocations for securing their sensitive information.

“How much you should spend to manage the risk to a reasonable level is a difficult judgment,” he says. “People are still learning how to make that judgment.”

But, he says, the most important first step CEOs need to take is to take the issue seriously and to take responsibility for dealing with it.